General

  • Target

    Spoofer.bat

  • Size

    293KB

  • Sample

    250125-sdlftszjan

  • MD5

    eafc5ba9f6f74bfced619180451718d1

  • SHA1

    1bf80060b1af65d0ae1c4e10ba681acdb97127da

  • SHA256

    1ecacd9c2ab0bc3acfde09e2819c2390e231110f5923fdd9ee26dfe76ccd337f

  • SHA512

    391e30a38a44bdde182a982067a68442e41f4d43cfee136fd7560c56cc0a537da03dcb6241675c69f3d57bd09d5f385d2674f9f708f450d88cc1314009e6d591

  • SSDEEP

    3072:3W+656Qjki8jgdcsZ9nd7Ab62C2TMT/CuL9j0XqwQ/HJ7kntdCoq+Saafyl9w5:3W+IWgdc0ZAu2m/7LdZwYHJmDFSJCi5
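To turn the hashes above into a check you can run against a file you are triaging, here is an added Python example (not part of the report, and not the sandbox's own code). It streams the file through all four listed digests in a single read pass and only reports a match if every digest agrees; the hash values are copied from the General section, and the file path is whatever you pass on the command line.

```python
"""Check whether a file on disk is the Spoofer.bat sample described in the report."""
import hashlib
import sys

# Digests copied verbatim from the report's General section.
REPORT_HASHES = {
    "md5": "eafc5ba9f6f74bfced619180451718d1",
    "sha1": "1bf80060b1af65d0ae1c4e10ba681acdb97127da",
    "sha256": "1ecacd9c2ab0bc3acfde09e2819c2390e231110f5923fdd9ee26dfe76ccd337f",
    "sha512": (
        "391e30a38a44bdde182a982067a68442e41f4d43cfee136fd7560c56cc0a537d"
        "a03dcb6241675c69f3d57bd09d5f385d2674f9f708f450d88cc1314009e6d591"
    ),
}


def hash_bytes(data: bytes) -> dict:
    """Compute the four digests the report lists over an in-memory buffer."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hash_file(path: str, chunk_size: int = 1 << 20) -> dict:
    """Stream a file through all four hash objects at once (one read pass)."""
    hashers = {name: hashlib.new(name) for name in REPORT_HASHES}
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def matches_report(digests: dict) -> bool:
    """True only if every listed digest agrees; one mismatch means a different file."""
    return all(
        digests.get(name, "").lower() == value for name, value in REPORT_HASHES.items()
    )


if __name__ == "__main__":
    # Usage: python check_sample.py <path-to-file>
    computed = hash_file(sys.argv[1])
    for name, value in computed.items():
        print(f"{name:6} {value}")
    print("MATCH: sample from report" if matches_report(computed) else "no match")
```

Comparing all four digests is belt-and-braces: a single strong hash is sufficient, but threat feeds often carry only MD5 or SHA1, so keeping every value lets the same script consume whichever one a feed provides. The fuzzy (SSDEEP) hash is deliberately left out because it needs the non-standard ssdeep library and is meant for similarity, not identity.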

Malware Config

Extracted

  • Family

    xworm

  • C2

    kind-sofa.gl.at.ply.gg:31503

  • Attributes

    Install_directory: %ProgramData%

    install_file: USB.exe

Targets

    • Target

      Spoofer.bat


    • Detect Xworm Payload

    • Xworm

      XWorm is a .NET remote access trojan written in C#. This sample's stub installs as USB.exe under %ProgramData% (see the extracted config above).

    • Xworm family

    • Blocklisted process makes network request

    • Command and Scripting Interpreter: PowerShell

      Runs PowerShell with its console window hidden (typically via -WindowStyle Hidden) so the user sees nothing.

    • Deletes itself

    • Drops startup file

    • Looks up external IP address via web service

      Queries a legitimate public IP lookup service to learn the infected host's external IP address; the request is a useful network indicator in its own right.
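The behaviours and the extracted config above give enough to write detection logic. The following is an added Python example, not part of the report and not the sandbox's own rules: it parses endpoint events in a simplified key=value form loosely modelled on Sysmon fields (process create, file create, DNS query, network connect), and flags the hidden PowerShell launch, the USB.exe drop under %ProgramData%, the startup-folder persistence, and the C2 traffic. Assumptions are marked in the code: the sample events are constructed, %ProgramData% is resolved to its default C:\ProgramData, and the list of IP lookup hosts is a guess because the report only says "a legitimate IP lookup service". Note that ply.gg hostnames belong to the playit.gg tunnelling service, so match on the hostname and port rather than on whatever IP it resolves to.

```python
"""Detection rules derived from the report's XWorm config and behaviour signatures."""
import re
from collections import defaultdict

# Indicators taken from the report's extracted config.
C2_HOST = "kind-sofa.gl.at.ply.gg"
C2_PORT = 31503
# %ProgramData%\USB.exe with the default ProgramData location (assumption).
INSTALL_PATH = r"C:\ProgramData\USB.exe"

# Assumed set of public IP lookup services; the report does not name the one used.
IP_LOOKUP_HOSTS = {
    "api.ipify.org", "icanhazip.com", "ifconfig.me", "checkip.amazonaws.com", "ip-api.com",
}

# Matches -WindowStyle Hidden and its abbreviations (-w h, -w hidden), case-insensitive.
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)

# key=value pairs, with double quotes allowed around values containing spaces.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Constructed sample events (NOT captured from the sandbox run). Field names:
# id: 1=process create, 3=network connect, 11=file create, 22=DNS query.
SAMPLE_EVENTS = [
    r'id=1 image=C:\Windows\System32\cmd.exe cmdline="cmd /c Spoofer.bat"',
    r'id=1 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe '
    r'cmdline="powershell -WindowStyle Hidden -ExecutionPolicy Bypass -File C:\Users\u\AppData\Local\Temp\x.ps1"',
    r'id=11 image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe target=C:\ProgramData\USB.exe',
    r'id=11 image=C:\ProgramData\USB.exe '
    r'target="C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\USB.lnk"',
    r'id=22 image=C:\ProgramData\USB.exe query=kind-sofa.gl.at.ply.gg',
    r'id=3 image=C:\ProgramData\USB.exe dsthost=kind-sofa.gl.at.ply.gg dstport=31503',
    r'id=3 image=C:\ProgramData\USB.exe dsthost=api.ipify.org dstport=443',
    r'id=1 image=C:\Windows\System32\notepad.exe cmdline="notepad.exe"',
]


def parse_event(line: str) -> dict:
    """Turn one key=value line into a dict; quoted values keep their spaces."""
    ev = {}
    for m in _KV.finditer(line):
        ev[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return ev


def classify(ev: dict) -> list:
    """Return the names of every rule this single event satisfies."""
    hits = []
    eid = ev.get("id")
    image = ev.get("image", "").lower()
    if eid == "1" and image.endswith("powershell.exe") and HIDDEN_PS.search(ev.get("cmdline", "")):
        hits.append("hidden_powershell")
    if eid == "11":
        target = ev.get("target", "").lower()
        if target == INSTALL_PATH.lower():
            hits.append("xworm_install_drop")
        if "\\start menu\\programs\\startup\\" in target:
            hits.append("startup_persistence")
    if eid == "22" and ev.get("query", "").lower() == C2_HOST:
        hits.append("c2_dns")
    if eid == "3":
        host = ev.get("dsthost", "").lower()
        if host == C2_HOST and ev.get("dstport") == str(C2_PORT):
            hits.append("c2_connect")
        if host in IP_LOOKUP_HOSTS:
            hits.append("external_ip_lookup")
    return hits


def detect(lines) -> dict:
    """Map each rule name to the indices of the events that triggered it."""
    result = defaultdict(list)
    for i, line in enumerate(lines):
        for rule in classify(parse_event(line)):
            result[rule].append(i)
    return dict(result)


if __name__ == "__main__":
    for rule, idxs in sorted(detect(SAMPLE_EVENTS).items()):
        print(f"{rule:22} events {idxs}")
```

The C2 and install-path rules are high-confidence on their own; the hidden-PowerShell and IP-lookup rules fire on plenty of benign software and are best used as corroboration, for example by alerting when the same image produces both a startup-folder write and a connection to a known tunnelling domain.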

MITRE ATT&CK Enterprise v15
